Securing and Optimizing Linux: RedHat Edition -A Hands on Guide
PrevChapter 5. General System SecurityNext

5.8. The inetd - /etc/inetd.conf file

inetd, called also the super server, will load a network program based upon a request from the network. The inetd.conf file tells inetd which ports to listen to and what server to start for each port.

The first thing to look at as soon as you put your Linux system on ANY network is what services you need to offer. Services that you do not need to offer should be disabled and uninstalled so that you have one less thing to worry about, and attackers have one less place to look for a hole. Look at your /etc/inetd.conf file to see what services are being offered by your inetd program. Disable what you do not need by commenting them out by adding a # at the beginning of the line, and then sending your inetd process a SIGHUP command to update it to the current inetd.conf file.

  1. Change the permissions on this file to 600. 
    
             [root@deep] /#chmod 600  /etc/inetd.conf

  2. Ensure that the owner is root. 
    
             [root@deep] /# stat /etc/inetd.conf
             
    
             File: "/etc/inetd.conf"
             Size: 2869         Filetype: Regular File
             Mode: (0600/-rw-------)         Uid: (    0/    root)  Gid: (    0/    root)
             Device:  8,6   Inode: 18219     Links: 1    
             Access:	Wed	Sep	22	16:24:16	1999(00000.00:10:44)
             Modify:	Mon	Sep	20	10:22:44	1999(00002.06:12:16)
             Change:	Mon	Sep	20	10:22:44	1999(00002.06:12:16)

  3. Edit the inetd.conf file vi /etc/inetd.conf and disable services like: ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, auth, etc. unless you plan to use it. If it's turned off, it's much less of a risk. 
    
             # To re-read this file after changes, just do a 'killall -HUP inetd'
             #
             #echo	stream	tcp	nowait	root	internal
             #echo	dgram	udp	wait	root	internal
             #discard	stream	tcp	nowait	root	internal
             #discard	dgram	udp	wait	root	internal
             #daytime	stream	tcp	nowait	root	internal
             #daytime	dgram	udp	wait	root	internal
             #chargen	stream	tcp	nowait	root	internal
             #chargen	dgram	udp	wait	root	internal
             #time	stream	tcp	nowait	root	internal
             #time	dgram	udp	wait	root	internal
             #
             # These are standard services.
             #
             #ftp	stream	tcp	nowait	root	/usr/sbin/tcpd	in.ftpd -l -a
             #telnet 	stream	tcp	nowait	root	/usr/sbin/tcpd	in.telnetd
             #
             # Shell, login, exec, comsat and talk are BSD protocols.
             #
             #shell	stream	tcp	nowait	root	/usr/sbin/tcpd	in.rshd
             #login	stream	tcp	nowait	root	/usr/sbin/tcpd	in.rlogind
             #exec	stream	tcp	nowait	root	/usr/sbin/tcpd	in.rexecd
             #comsat	dgram	udp	wait	root	/usr/sbin/tcpd	in.comsat
             #talk	dgram	udp	wait	root	/usr/sbin/tcpd	in.talkd
             #ntalk	dgram	udp	wait	root	/usr/sbin/tcpd	in.ntalkd
             #dtalk 	stream	tcp	wait	nobody	/usr/sbin/tcpd	in.dtalkd
             #
             # Pop and imap mail services et al
             #
             #pop-2	stream	tcp	nowait	root	/usr/sbin/tcpd	ipop2d
             #pop-3	stream	tcp	nowait	root	/usr/sbin/tcpd	ipop3d
             #imap	stream	tcp	nowait	root	/usr/sbin/tcpd	imapd
             #
             # The Internet UUCP service.
             #
             #uucp	stream	tcp	nowait	uucp	/usr/sbin/tcpd  /usr/lib/uucp/uucico    -l
             #
             # Tftp service is provided primarily for booting.  Most sites
             # run this only on machines acting as "boot servers." Do not uncomment
             # this unless you *need* it.  
             #
             #tftp	dgram	udp	wait	root	/usr/sbin/tcpd	in.tftpd
             #bootps	dgram	udp	wait	root	/usr/sbin/tcpd	bootpd
             #
             # Finger, systat and netstat give out user information which may be
             # valuable to potential "system crackers."  Many sites choose to disable 
             # some or all of these services to improve security.
             #
             #finger	stream	tcp	nowait	root	/usr/sbin/tcpd	in.fingerd
             #cfinger	stream	tcp	nowait	root	/usr/sbin/tcpd	in.cfingerd
             #systat	stream	tcp	nowait	guest	/usr/sbin/tcpd	/bin/ps -auwwx
             #netstat	stream	tcp	nowait	guest	/usr/sbin/tcpd	/bin/netstat    -f inet
             #
             # Authentication
             #
             #auth	stream	tcp	nowait	nobody	/usr/sbin/in.identd    in.identd -l -e -o
             #
             # End of inetd.conf
             

  4. 
             [root@deep] /# killall  -HUP inetd

  5. One more security measure you can take to secure the inetd.conf file is to set it immutable, using the chattr command. To set the file immutable simply, execute the following command: 
    
             [root@deep] /# chattr  +i /etc/inetd.conf
    This will prevent any changes accidental or otherwise to the inetd.conf file. A file with the immutable attribute set i cannot be modified, deleted or renamed, no link can be created to this file and no data can be written to it. The only person that can set or clear this attribute is the super-user root. If you wish later to modify the inetd.conf file you will need to unset the immutable flag: To unset the immutable flag, simply execute the following command: 
    
             [root@deep] /# chattr -i /etc/inetd.conf

Note: Don't forget to send your inetd process a SIGHUP signal killall -HUP inetd after making change to your inetd.conf file. The services you enable on a selected host depend on the functions you want the host to provide. Functions could support the selected network service, other services hosted on this computer, or development and maintenance of the operating system and applications.

PrevHomeNext
Disable all console accessUpTCP_WRAPPERS